Identify Weakness
- Identify critical weaknesses in your company’s cybersecurity program.
Review Policy
- Ensure that your company’s cybersecurity policy provides the appropriate protection.
Assess Implementation
- Assess your company’s cybersecurity implementation.
Provide Guidance
- Our expert consultants will provide your company with a clear path to accomplish your cybersecurity goals.
Fast detection
In the “preventing attacks” phase, a company is challenged to create as much friction as possible to discourage miscreants. However, even with the best-designed cybersecurity postures, miscreants are getting in. A company must have strategies beyond the perimeter to determine if there has been a breach.
Contextual awareness
Alert management and fast detection are often a gauntlet that a security analyst has to negotiate. When an alarm escalates into an incident, a security analyst must be able to put the incident in context: which systems and endpoints are affected and where the attack originated. More than that, it has to be determined if the attack is spreading. True contextual awareness will integrate external threat feed data to determine the severity of an attack and what the proper incident response is.
Incident response
The security analyst must have at his disposal a combination of response options for the suspect endpoint—to deny/quarantine/block or send to the guest network. Preferably, manual or automated responses are included.
Preventing attacks
A company must be able to deflect the most common malware strains (understanding that the miscreant is innovating, too). Servers and endpoints must have secure configurations. Vulnerabilities are like loose threads on a shirt; if you tease them out long enough, you can rip apart fabrics at the seams.
Network visibility
Even in small networks, endpoints can be lost or never associated with the network infrastructure to begin with. This can happen for a variety of reasons, including server array configurations, new OS/software upgrades, or power surges. Of course, the best cyberattacks emanate in the dark. A security team must be able to dynamically discover endpoints because this is almost impossible to do through manual processes.
Alarm management
The network administrator or security team knows that something is awry in the network; they have received an alarm telling them so. Alarms can be problematic in three ways. First, an alarm may conflate a benign event with a security incident. Secondly, an alarm may be a duplicate that comes from redundant sources. Lastly, an alarm could be a false positive; the alarm does not accurately reflect what is happening in the network.